Vulnerability in EPiServer.Forms
I am some troubles trying to change the from address on an xformpostedData object. My action is XFormPost(XformPostedData xformPostedData) and inside, i see that xformposteddata has a SelectedSubmit object but all the values are readonly. This object has a Sender which is readonly as well. Has anyone had a simliar experiance and/or a resolution to set this. Thanks in advance.
Just an idea, haven't tested:
protected override bool ProcessXFormAction(Controller controller, XFormPostedData xformPostedData)
var copy = new NameValueCollection(controller.Request.Form);
copy["from"] = "new sender";
// rest of body
any updates about this issue? I have the same problem and I haven't manage to figure out how to do it.
Seems like code fragment above is not working :)
Nope, I already tried that, it doesn't seems to work.
Aparently, everyting that is on SelectedSubmit object is read only. Would that be other way to change the sender before posting the form?
One hacky workaround would be to change "from=" parameter in submit action button in the form on client-side. As it turns out after model binder XFormPostedData object is readonly.
Thanks Valdis for the reply.
Since the "from=" parameter cannot be change, do you know if is there any posibility to add to the form another parameter like "Reply To" and not to try to hack the "from=" parameter.
It will be very usefull for me !
Looking at the model binder don't think it will be available for you in action (will be ignored by xform fragment parser).
Well, if at this point is not possible to add/update properties for the SelectedSubmit object, is there any other way to customize the form.
What I have, is a very basic form with an input field for customer email and a submit button that saves into db and sends email, witch is working now, but I want in that email to have the "Reply To" the email that customer inserts into that input field.
Do you know if that would be possible?
Can you clarify a bit "I want in that email to have the "Reply To" the email that customer inserts into that input field.", it's a bit strangly formed sentence, so I am not entirely sure what you want to do?
What you could do is not use the XForm email sending. Instead, just save to the DB and put the rest of the properties that are normally on the XForm (such as sender and recipient, etc) on a block which contains the XForm (or page) and then do whatever you want on submitted action. // That is, if I understood your requirements :)
well sorry for the wierd explanation of the situation.
The thing is that I have a simple form in a episerver block and that simple form has a input, where customer can insert his email address called "Customer Email", and a submit button that saves informations into DB and sends an email.
Now according to the form basic functionality, the sender and the receiver for that email are seted from the "Properties for button" when editing the form. What I want is to add the email address that customer inserts in the "Customer Email" input field to the sending email functionality as a "Reply to". I hope it's more clear now.
I'm not sure if something like that is handled by the xforms, as far as I saw it doesn't, but would that be any workaround for that? Or should I consider not to use xforms for that...?
I guess, if form shouldn't be modifed by editors - fastest workaround would be to implement just pure simple form. If editors are modifying form - you could handle sending XForm as email manually then.
Were you able to find a solution to this? I need to intercept the form-sending and update the recipient email address before proceeding.
I am hoping you didn't end up developing the form outside XForms.
I didn't manage to figure it out, so I end up developing a custom form without XForms.
If you find something, can you please can you share some ideas here..? I'm still curous if it's possible.
I don't think you can switch out the recepient of the build in XForm send email functionality. But instead you can set the form to not send any emails and only save the data to the database. Then do this:
By intercepting the after post event you can code your own send Email functionality that can take whatever field value from the posted xform, e.g. the UsersEmail field.
I agreed with @Toni and in our implementation, we leave user free to create/edit form with whatever action on submit. Hooked up to XFormActionHelper.AfterSubmitPostedData and send email with your template and recepient
I was able to intercept the form sending by registering a handler to the event BeforeSubmitPostedData in the global.asax.
XFormActionHelper.BeforeSubmitPostedData += FormBlockController.BeforeSubmitPostedData;
And then inside the BeforeSubmitPostedData method, I had to do something like:
// Change MailFrom property
e.FormData.MailFrom = formValues.Get("EmailAddressFrom");
// Change MailTo property
e.FormData.MailTo = formValues.Get("EmailAddressTo");
However, the message body of the email could not be updated programmatically (there is no way currently as per EPiServer 8 documentation).
Our client requires a specific email body format, so I ended up removing the sending of email from the ChannelOptions and used SmtpClient to do the message sending.
Works perfectly now. Thanks for everyone's input!
Cool, looks nice.
Thanks for sharing :D